Insufficient Transport Layer Protection
- Use TLS (HTTPS) for all authentication-related traffic: login forms and their POSTs, session cookies, and any password-reset or remember-me tokens.
- Set the server up to use only strong protocol versions and cipher suites. See Securing Tomcat.
- Session cookies should have their "secure" flag set, so the browser never sends them over plain HTTP.
- Ensure the server SSL certificate is properly configured: issued for the host name clients connect to, chained to a CA they trust, and not expired.
To configure Tomcat 4 so that it only uses strong encryption for SSL, find the SSL Connector definition in server.xml and set the ciphers attribute to an explicit list; if the attribute is absent the connector accepts whatever suites the JVM enables by default. Note that the list below dates from the Tomcat 4/5 era: the RC4 suites are now prohibited for TLS (RFC 7465) and the 3DES suites are exposed to the Sweet32 birthday attack (CVE-2016-2183), so on a current JVM keep only the AES suites and prefer the ECDHE/AES-GCM suites that later Tomcat and JVM versions support.
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector acceptCount="100"
           className="org.apache.coyote.tomcat4.CoyoteConnector"
           debug="0"
           disableUploadTimeout="true"
           enableLookups="false"
           maxProcessors="150"
           minProcessors="5"
           port="8443"
           scheme="https"
           secure="true"
           useURIValidationHack="false"
           ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false"
           keystoreFile="C:/ ... /conf/security/jdex.jks"
           keystorePass="********"
           protocol="TLS"/>
</Connector>
In Tomcat 5:
<!-- Define a SSL HTTP/1.1 Connector on port 443 -->
<Connector port="443"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile=".keystore"
           keystorePass="*********"
           ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
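The following is an added example, not code from this page or from Tomcat: a small audit script that reads a server.xml, finds every connector with secure="true", takes the ciphers attribute either from the Connector itself (the Tomcat 5 form above) or from a nested Factory (the Tomcat 4 form), and partitions each list into suites that are still acceptable and suites that are not. The embedded server.xml is a constructed sample; its port 443 connector carries the page's own cipher list, and the WEAK_MARKERS policy, the extra connectors and all function names are my own assumptions.

```python
"""Audit the cipher lists of Tomcat SSL connectors in server.xml.

Added example, not code from the page or from Tomcat. Reads the
<Connector> elements with secure="true", picks up the ciphers attribute
from the Connector itself (Tomcat 5 style) or from a nested <Factory>
(Tomcat 4 style), and splits each list into suites that are still
acceptable and suites that are not.
"""
import xml.etree.ElementTree as ET

# Substrings that mark a suite as weak (assumption: a practitioner's policy,
# not a Tomcat setting). RC4 is prohibited for TLS by RFC 7465; DES and
# 3DES are 64-bit block ciphers (Sweet32, CVE-2016-2183); NULL, anon and
# EXPORT suites give no encryption, no authentication or deliberately
# shortened keys; MD5 as the MAC is deprecated.
WEAK_MARKERS = ("RC4", "_DES_", "3DES", "NULL", "_anon_", "EXPORT", "_MD5")

# Constructed sample server.xml. The 443 connector carries the page's own
# Tomcat 5 cipher list, 8443 uses the Tomcat 4 Factory form, and 9443 sets
# no ciphers attribute at all.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" />
    <Connector port="443" scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile=".keystore" keystorePass="********"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
    <Connector port="8443" scheme="https" secure="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               protocol="TLS"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_NULL_SHA" />
    </Connector>
    <Connector port="9443" scheme="https" secure="true" />
  </Service>
</Server>
"""


def split_ciphers(value):
    """Turn the comma separated ciphers attribute into a clean list."""
    return [s.strip() for s in value.split(",") if s.strip()]


def is_weak(suite):
    """True if the suite name carries any of the weak markers."""
    return any(marker in suite for marker in WEAK_MARKERS)


def audit_connectors(xml_text):
    """One finding per secure connector: port, whether a ciphers attribute
    was set at all, and the weak / strong partition of its list."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("secure", "false").lower() != "true":
            continue
        ciphers = conn.get("ciphers")
        if ciphers is None:
            factory = conn.find("Factory")  # Tomcat 4 keeps SSL settings here
            if factory is not None:
                ciphers = factory.get("ciphers")
        suites = split_ciphers(ciphers or "")
        findings.append({
            "port": conn.get("port"),
            # No ciphers attribute means the JVM default list, which on the
            # JVMs of this era included RC4 and 3DES suites.
            "configured": ciphers is not None,
            "weak": [s for s in suites if is_weak(s)],
            "strong": [s for s in suites if not is_weak(s)],
        })
    return findings


def hardened_cipher_list(value):
    """The ciphers attribute value with the weak suites removed."""
    return ", ".join(s for s in split_ciphers(value) if not is_weak(s))


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print("port %s: configured=%s weak=%d strong=%d"
              % (f["port"], f["configured"], len(f["weak"]), len(f["strong"])))
        for s in f["weak"]:
            print("  drop:", s)
```

To run it against a real installation, replace SAMPLE_SERVER_XML with the contents of conf/server.xml. Once the list has been trimmed and Tomcat restarted, confirm from outside with openssl s_client -connect host:443 -cipher RC4 (and likewise for 3DES), which should fail to complete the handshake.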